Description
Stored Cross-Site Scripting (XSS) in Stel Order v3.25.1 and earlier, located at the ‘/app/FrontController’ endpoint via the ‘legalName’ and ‘employeeID’ parameters. The lack of proper input sanitization allows an attacker to inject malicious code that is persistently stored in the database. When other users or administrators access the affected sections, the code executes in their browsers, enabling the theft of session cookies and account hijacking.
Published: 2026-05-14
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting flaw exists in Stel Order versions 3.25.1 and earlier. The vulnerability resides in the /app/FrontController endpoint where the legalName and employeeID parameters are accepted without proper sanitization. Malicious code injected through these fields is persisted in the database and executed whenever other users or administrators view the affected pages, allowing an attacker to steal session cookies and hijack user accounts.

Affected Systems

The affected product is Stel Order (vendor Stel Order). All releases up to and including version 3.25.1 are impacted; newer releases may not contain the flaw.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. EPSS is not provided and the vulnerability is not listed in CISA’s KEV, suggesting no known widespread exploitation at present. The likely attack vector is client‑side via the web application, where an attacker or a compromised user can submit malicious input. Once the input is stored, any user who accesses the affected sections will have the script executed in their browser, enabling theft of credentials and potential account takeover. The exploitation effort is low, requiring only that the attacker can place input into the vulnerable fields.

Generated by OpenCVE AI on May 14, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch or upgrade to a version that removes the input sanitization flaw.
  • Limit access to the legalName and employeeID inputs so only privileged users can modify them.
  • Implement strict input validation and output encoding to ensure user‑supplied data is safely rendered.
  • Deploy a Content Security Policy to restrict the execution of inline scripts and mitigate the impact of any remaining XSS payloads.
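An added illustration of the validation and output-encoding actions above (example code, not part of the OpenCVE record or of Stel Order): it hunts a set of stored legalName/employeeID values for markup that has already been persisted, and HTML-encodes both fields at render time so a stored payload is displayed as text. The sample records, the assumed employeeID format and the function names are constructed assumptions.

```python
import html
import re

# Constructed sample records, standing in for rows read back from the
# application's database for the two affected fields.
SAMPLE_RECORDS = [
    {"legalName": "Acme S.L.", "employeeID": "E-1042"},
    {"legalName": "<script>alert(1)</script>", "employeeID": "E-1043"},
    {"legalName": "Beta & Co", "employeeID": "\"><b>x</b>"},
]

# Triage heuristic: tags, javascript: URLs and on*= handlers have no place in
# a company name or an employee id. Used to find payloads already stored.
MARKUP = re.compile(r"<[^>]*>|javascript:|on\w+\s*=", re.IGNORECASE)


def find_stored_markup(records):
    """Return (index, field, value) for every stored value that looks like markup."""
    hits = []
    for i, rec in enumerate(records):
        for field in ("legalName", "employeeID"):
            value = rec.get(field, "")
            if MARKUP.search(value):
                hits.append((i, field, value))
    return hits


def render_row(rec):
    """Output-encode both fields before they reach an HTML context.
    html.escape with quote=True also neutralises attribute-breaking quotes."""
    name = html.escape(rec.get("legalName", ""), quote=True)
    emp = html.escape(rec.get("employeeID", ""), quote=True)
    return f"<tr><td>{name}</td><td>{emp}</td></tr>"


def is_safe_employee_id(value):
    """Allow-list validation for employeeID (assumed format: letters, digits
    and hyphens, 1 to 32 chars). Reject, rather than strip, anything else."""
    return re.fullmatch(r"[A-Za-z0-9-]{1,32}", value) is not None


if __name__ == "__main__":
    for hit in find_stored_markup(SAMPLE_RECORDS):
        print("stored markup found:", hit)
    for rec in SAMPLE_RECORDS:
        print(render_row(rec))
```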

Advisories

No advisories yet.

History

Thu, 14 May 2026 14:15:00 +0000

Values Removed: (none)

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 13:00:00 +0000

Values Removed: (none)

Type: Description
Values Added: Stored Cross-Site Scripting (XSS) in Stel Order v3.25.1 and earlier, located at the ‘/app/FrontController’ endpoint via the ‘legalName’ and ‘employeeID’ parameters. The lack of proper input sanitization allows an attacker to inject malicious code that is persistently stored in the database. When other users or administrators access the affected sections, the code executes in their browsers, enabling the theft of session cookies and account hijacking.

Type: Title
Values Added: Stored Cross-Site Scripting (XSS) vulnerability in Stel Order

Type: First Time appeared
Values Added:
  Stel Order
  Stel Order stel Order

Type: Weaknesses
Values Added: CWE-79

Type: CPEs
Values Added: cpe:2.3:a:stel_order:stel_order:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added:
  Stel Order
  Stel Order stel Order

Type: References
Values Added: (none)

Type: Metrics
Values Added: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-05-14T13:47:51.077Z

Reserved: 2026-04-08T12:41:41.410Z

Link: CVE-2026-5790

Vulnrichment

Updated: 2026-05-14T13:47:47.055Z

NVD

Status: Deferred

Published: 2026-05-14T13:16:21.173

Modified: 2026-05-14T16:46:53.510

Link: CVE-2026-5790

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:45:22Z

Weaknesses